Java 23, officially released on September 17, brings a wealth of new features, including advancements in performance, security, and cryptography. The release focuses on enhancing crypto performance and bolstering security measures across various components of the Java Development Kit (JDK). These updates are designed to improve the efficiency of cryptographic operations and strengthen the overall security posture of Java applications. Key updates include enhancements to the javax.crypto package, with adjustments made to buffer sizes for CipherInputStream, improving performance and bringing it in line with other APIs like java.io.FileInputStream.
In addition to performance improvements, Java 23 introduces new configuration options for the crypto API. One notable addition is the allowLegacy attribute in the PKCS11 configuration, which allows legacy checks to be bypassed when set to “true.” By default, this attribute is set to “false,” providing developers with more flexibility in managing legacy systems while maintaining modern security standards. Furthermore, improvements to SecureRandom object construction help ensure more efficient random number generation, crucial for cryptographic processes that depend on randomness for security.
The Public Key Infrastructure (PKI) component of Java 23 also received several important updates. New root Certificate Authority (CA) certificates have been added to the cacerts keystore, including two from Certainly and two from GlobalSign. These additions help maintain trust chains and ensure secure communications between systems. Additionally, the Apple security provider now supports a new keystore called KeychainStore-ROOT, which stores root certificates in the system keychain on macOS. This addition addresses prior issues with HTTP connections failing due to the JDK being unable to locate the appropriate root certificate.
Kerberos security has also been improved in JDK 23. A new property, jdk.security.krb5.name.case.sensitive, allows for case-sensitive lookups of Kerberos principal names in keytab and credential cache files, addressing a previous limitation where principal names were treated as case-insensitive. Additionally, debugging output for Kerberos has been redirected to standard error, making it easier for developers to troubleshoot and analyze authentication issues. Another change to note is the modification in the getSubject method, which now throws an UnsupportedOperationException unless a security manager is enabled, anticipating a future update where this method will consistently throw the exception. These updates, along with various debug options and security enhancements, contribute to making Java 23 a more secure and robust platform for developers.
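The getSubject change described above, shown from the point of view of code that has to keep working across it. This is an added example, not code from the JDK release notes or the original article. It assumes the method in question is javax.security.auth.Subject.getSubject and relies on Subject.current() and Subject.callAs(), which exist since Java 18 but are not mentioned on the page. The class name and the principal are constructed for the demo.

```java
import java.security.AccessController;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectLookup {
    // Constructed principal for the demo; real code would obtain one from a login module.
    record DemoPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    /** Returns the Subject bound to the current call, or null if there is none. */
    @SuppressWarnings("removal") // getSubject and AccessController are deprecated for removal
    static Subject currentSubject() {
        try {
            // Legacy lookup: per the change above, throws unless a security manager is enabled.
            return Subject.getSubject(AccessController.getContext());
        } catch (UnsupportedOperationException e) {
            // Replacement lookup (Java 18+): the Subject bound by Subject.callAs.
            return Subject.current();
        }
    }

    public static void main(String[] args) {
        Subject alice = new Subject(
                true,                                            // read-only
                Set.of(new DemoPrincipal("alice@EXAMPLE.COM")),  // principals
                Set.of(),                                        // public credentials
                Set.of());                                       // private credentials

        // callAs binds the Subject for the duration of the action.
        String seen = Subject.callAs(alice, () -> {
            Subject s = currentSubject();
            return s == null ? "<none>" : s.getPrincipals().iterator().next().getName();
        });
        System.out.println("inside callAs:  " + seen);

        // Outside callAs no Subject is bound, so authorization code must handle null.
        System.out.println("outside callAs: " + currentSubject());
    }
}
```

Authorization checks that read the Subject should treat both outcomes as normal: a null Subject outside a callAs scope, and the exception from the legacy call. Otherwise a JDK upgrade can turn an identity lookup into an unhandled failure.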